gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 15:51:30 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
1383fe419b8c7ee317144809c78e4830bc3cddbb
certctl/.gitignore
T
shankar0123 95cb002905 ci: supply-chain hardening (Phase 1 closure — RED-1, RED-2, TEST-L2) 
Three findings from the certctl architecture diligence audit's Phase 1
bundle (Supply-Chain Hardening) closed together in one PR since they all
touch .github/workflows/ + repo root.

RED-1 — delete tracked precompiled binary
  - deploy/test/f5-mock-icontrol/f5-mock-icontrol (8.6 MB ARM64 ELF) was
    tracked alongside the Go source that builds it. The fixture's
    Dockerfile already uses a multi-stage build that re-runs
    'go build' inside the container (line 13), so the tracked binary
    was vestigial — never actually consumed by the test wiring.
  - git rm'd. Path added to .gitignore so it doesn't re-land.
  - No Makefile target needed; the Dockerfile is the rebuild path.

RED-2 — SHA-pin every GitHub Action
  - Pre: 37 of 41 'uses:' lines were tag-pinned (@v4 etc); only
    4 were SHA-pinned (sigstore/cosign-installer + anchore/sbom-action).
  - Post: 0 / 41. Every 'uses:' line is now '@<40-char-sha>  # vN'
    (the trailing comment preserves the human-readable version for
    operator audit). SHA-pinning closes the standard supply-chain
    attack vector against GitHub Actions consumers.
  - SHAs resolved live via the GitHub API; spot-checked one.

TEST-L2 — npm audit hard gate
  - Added 'npm audit --omit=dev --audit-level=high' step to the
    Frontend Build job in ci.yml. --omit=dev excludes vitest/vite/
    eslint/etc which don't ship to operators.
  - Local run today: 0 vulnerabilities; gate enters with no triage
    backlog. Catches future regressions.

New CI guards (regression-prevention):
  - scripts/ci-guards/no-tag-pinned-actions.sh — fails the build if
    a future PR adds 'uses: foo/bar@v2' instead of SHA-pinning.
  - scripts/ci-guards/no-precompiled-binary.sh — runs file(1) over
    git ls-files output; fails on any tracked ELF/Mach-O/PE.
  - Both pass locally. CI's existing loop over scripts/ci-guards/*.sh
    picks them up automatically.

Closes: cowork/certctl-architecture-diligence-audit.html#fix-RED-1,
        cowork/certctl-architecture-diligence-audit.html#fix-RED-2,
        cowork/certctl-architecture-diligence-audit.html#fix-TEST-L2
2026-05-13 19:30:53 +00:00

96 lines
1.6 KiB
Plaintext
Raw Blame History

# Binaries for programs and plugins
*.exe
*.exe~
*.dll
*.so
*.so.*
*.dylib
bin/
# Frontend
web/node_modules/
web/dist/
# Test binary, built with `go test -c`
*.test
# Output of the go coverage tool
*.out
coverage.out
coverage.html
# Go workspace file
go.work
# Dependency directories
vendor/
# Environment variables
.env
.env.local
.env.*.local
# IDE
.idea/
.vscode/
*.swp
*.swo
*~
.DS_Store
*.iml
# Temporary files
tmp/
temp/
*.log
*.bak
# Private keys (agent-generated, never commit)
cmd/agent/*.key
cmd/agent/*.pem
# Database
*.db
*.sqlite3
# Allow migration SQL files (don't ignore *.sql globally)
# SQL files in migrations/ are tracked
# Build artifacts
certctl-server
certctl-agent
certctl-cli
/server
/agent
/cli
/mcp-server
# Private strategy docs
SECURITY_REMEDIATION.md
# OS
.DS_Store
Thumbs.db
# Local Go build/module caches (session-scoped, never committed)
/.gocache/
/.gomodcache/
/.gopath/
/.gomodcache-gopath/
# Design scratch files (session-scoped)
/.i004-design.md
/.i005-design.md
# HTTPS-Everywhere (M-007) Phase 6: the docker-compose.test.yml tls-init
# container writes ca.crt / server.crt / server.key into this directory so
# the host-side integration_test.go binary can pin the CA via
# CERTCTL_TEST_CA_BUNDLE=./certs/ca.crt. Material is regenerated on every
# `docker compose up` and never belongs in git.
/deploy/test/certs/
# Phase 1 RED-1 closure (2026-05-13): the f5-mock-icontrol Dockerfile
# rebuilds from source via multi-stage build (deploy/test/f5-mock-icontrol/
# Dockerfile line 13). The compiled ELF must not be tracked.
deploy/test/f5-mock-icontrol/f5-mock-icontrol
Reference in New Issue View Git Blame Copy Permalink